MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 210468bf9c97e5bbae46e464625550d20079fb3766ad33d490f06e0cd037163a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Quakbot
Vendor detections: 10
Maldoc score: 11
| SHA256 hash: | 210468bf9c97e5bbae46e464625550d20079fb3766ad33d490f06e0cd037163a |
|---|---|
| SHA3-384 hash: | 5994e642f8a6ce5329a859fbbba55533f0811a990ca438f010ba02513f261863379e3b5f38c996114d06219944e59087 |
| SHA1 hash: | e44e018503f87fa50b1ad1e7e56a3f4a3b56eff9 |
| MD5 hash: | 0ab5d82db3541b40b3ef56d03efe8a3f |
| humanhash: | oregon-texas-network-sixteen |
| File name: | Document_2039517850_12162020.xls |
| Download: | download sample |
| Signature | Quakbot |
| File size: | 55'808 bytes |
| First seen: | 2020-12-16 19:06:34 UTC |
| Last seen: | 2020-12-16 20:35:59 UTC |
| File type: |  xls |
| MIME type: | application/vnd.ms-excel |
| ssdeep | 1536:C7uDphYHceXVhca+fMHLtyeGxcl8OUM+RfsVrCvaBf5:C7uDphYHceXVhca+fMHLtyeGxcl8OUMN |
| TLSH | 4143D56AB7A5C85AE504473589E397D7333BFC404FA7078B3298B30F6EB95904A03A57 |
| Reporter |  ffforward |
| Tags: | Qakbot qbot Quakbot xls |
Office OLE Information
This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.
OLE id
| Maldoc score: 11 |
| Application name is Microsoft Excel |
| Office document is in OLE format |
| Office document contains VBA Macros |
OLE dump
MalwareBazaar was able to identify 15 sections in this file using oledump:
| Section ID | Section size | Section name |
|---|---|---|
| 1 | 102 bytes | CompObj |
| 2 | 272 bytes | DocumentSummaryInformation |
| 3 | 208 bytes | SummaryInformation |
| 4 | 38702 bytes | Workbook |
| 5 | 535 bytes | _VBA_PROJECT_CUR/PROJECT |
| 6 | 65 bytes | _VBA_PROJECT_CUR/PROJECTwm |
| 7 | 2728 bytes | _VBA_PROJECT_CUR/VBA/_VBA_PROJECT |
| 8 | 1308 bytes | _VBA_PROJECT_CUR/VBA/__SRP_0 |
| 9 | 188 bytes | _VBA_PROJECT_CUR/VBA/__SRP_1 |
| 10 | 360 bytes | _VBA_PROJECT_CUR/VBA/__SRP_2 |
| 11 | 190 bytes | _VBA_PROJECT_CUR/VBA/__SRP_3 |
| 12 | 532 bytes | _VBA_PROJECT_CUR/VBA/dir |
| 13 | 976 bytes | _VBA_PROJECT_CUR/VBA/1 |
| 14 | 976 bytes | _VBA_PROJECT_CUR/VBA/2 |
| 15 | 2953 bytes | _VBA_PROJECT_CUR/VBA/ |
OLE vba
MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:
| Type | Keyword | Description |
|---|---|---|
| AutoExec | Auto_Open | Runs when the Excel Workbook is opened |
| Suspicious | RUN | May run an executable file or a system command |
| Suspicious | Lib | May run code from a DLL |
| Suspicious | URLDownloadToFileA | May download files from the Internet |
| Suspicious | EXEC | May run an executable file or a system |
| Suspicious | Hex Strings | Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all) |
Intelligence
File Origin
# of uploads :
2
# of downloads :
342
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Document_2039517850_12162020.xls
Verdict:
Malicious activity
Analysis date:
2020-12-16 19:08:12 UTC
Tags:
macros
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
True
Detection(s):
TwinWave.EvilDoc.DOCXSTRGOOD.AOEX4.BITSNEEDEDFOR.URLDOWNLOADTOFILE.200327.UNOFFICIAL
TwinWave.EvilDoc.DOCXSTRGOOD.AOEX4.BITSNEEDEDFOR.URLDOWNLOADTOFILE.200415.UNOFFICIAL
TwinWave.EvilDoc.Excel4Macro.HiddenSheetDLWAKEUP.20200310.UNOFFICIAL
TwinWave.EvilDoc.HiddenSheetExcel4LureRecognizer.20200915.UNOFFICIAL
TwinWave.EvilDoc.QakbotTheDuck.20200928.UNOFFICIAL
TwinWave.EvilDoc.Excel4MagicPalmersArcade.20201207.UNOFFICIAL
TwinWave.EvilDoc.DOCXSTRGOOD.AOEX4.BITSNEEDEDFOR.URLDOWNLOADTOFILE.200415.UNOFFICIAL
TwinWave.EvilDoc.Excel4Macro.HiddenSheetDLWAKEUP.20200310.UNOFFICIAL
TwinWave.EvilDoc.HiddenSheetExcel4LureRecognizer.20200915.UNOFFICIAL
TwinWave.EvilDoc.QakbotTheDuck.20200928.UNOFFICIAL
TwinWave.EvilDoc.Excel4MagicPalmersArcade.20201207.UNOFFICIAL
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
DNS request
Sending an HTTP GET request
Launching a process by exploiting the app vulnerability
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Document image
Image:
Result
Verdict:
MALICIOUS
Details
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Macro with DLL Reference
Detected macro logic that will load additional functionality from Dynamically Linked Libraries (DLLs). While not explicitly malicious, this is a common tactic for accessing APIs that are not otherwised exposed via Visual Basic for Applications (VBA).
Autostarting Excel Macro Sheet
Excel contains Macrosheet logic that will trigger automatically upon document open.
Threat name:
Document-Excel.Downloader.EncDoc
Status:
Malicious
First seen:
2020-12-16 19:07:04 UTC
AV detection:
16 of 47 (34.04%)
Threat level:
3/5
Detection(s):
Malicious file
Result
Malware family:
qakbot
Score:
10/10
Tags:
family:qakbot botnet:abc114 campaign:1608129413 banker cryptone macro packer stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Program crash
Loads dropped DLL
CryptOne packer
Qakbot/Qbot
Process spawned unexpected child process
Malware Config
C2 Extraction:
86.127.22.190:443
35.139.242.207:443
108.190.194.146:2222
187.213.199.54:443
68.83.89.188:443
41.233.152.232:993
196.151.252.84:443
181.208.249.141:443
172.87.134.226:443
96.27.47.70:2222
83.110.109.78:2222
93.86.1.159:995
217.162.149.212:443
80.11.210.247:443
72.252.201.69:443
185.163.221.77:2222
189.62.175.92:22
95.76.27.6:443
45.77.115.208:443
187.213.82.104:995
47.44.217.98:443
91.138.177.114:2222
72.240.200.181:2222
71.182.142.63:443
90.53.103.26:2222
81.97.154.100:443
45.118.216.157:443
70.118.146.154:995
83.202.68.220:2222
86.97.221.121:443
67.141.11.98:443
184.189.122.72:443
189.150.111.8:2222
24.229.150.54:995
200.38.254.177:443
109.106.69.138:2222
5.204.148.208:995
109.154.79.222:2222
190.220.8.10:995
87.27.110.90:2222
65.48.208.194:443
78.101.130.59:995
75.136.26.147:443
47.138.204.19:443
140.82.49.12:443
41.205.16.222:443
67.6.54.180:443
80.227.5.70:443
193.248.154.174:2222
93.148.241.179:2222
67.249.12.146:443
109.205.204.229:2222
90.201.21.58:443
50.29.166.232:995
144.202.38.185:995
149.28.99.97:443
45.77.115.208:995
144.202.38.185:443
149.28.101.90:2222
149.28.99.97:995
149.28.101.90:995
149.28.98.196:2222
209.137.209.158:443
144.202.38.185:2222
45.63.107.192:995
45.63.107.192:443
149.28.99.97:2222
217.39.74.146:2222
82.12.157.95:995
45.63.107.192:2222
149.28.98.196:443
66.97.247.15:443
149.28.98.196:995
108.46.145.30:443
78.101.158.1:61201
103.110.6.151:2087
5.12.11.200:443
78.63.226.32:443
46.53.14.19:443
116.240.78.45:995
75.67.192.125:443
161.142.217.62:443
151.60.38.21:443
86.98.21.136:443
188.26.59.21:443
75.109.180.221:995
217.128.117.218:2222
78.181.19.134:443
5.2.212.254:443
35.136.78.225:443
24.122.0.90:443
68.131.19.52:443
197.57.67.109:443
78.154.28.105:443
2.49.219.254:22
187.155.59.73:443
83.110.213.25:443
2.50.143.154:2222
85.105.29.218:443
151.61.125.180:2222
72.93.55.22:443
39.32.147.77:995
151.73.121.136:443
24.29.30.31:443
45.77.115.208:2222
72.214.55.195:995
208.93.202.41:443
2.7.69.217:2222
81.88.254.62:443
41.225.231.43:443
62.116.43.76:53
85.101.187.146:443
73.94.229.115:443
190.31.192.34:443
51.223.138.251:443
92.154.83.96:1194
65.131.41.96:995
90.61.38.208:2222
86.122.248.164:2222
74.222.204.82:995
190.128.215.174:443
86.245.82.249:2078
188.27.116.133:443
80.195.103.146:2222
85.60.132.8:2087
74.129.26.119:443
71.58.19.33:443
189.183.206.114:443
180.151.233.178:443
41.176.38.114:995
80.11.5.65:2222
196.221.77.89:995
75.136.40.155:443
86.121.3.80:443
24.139.72.117:443
94.52.68.72:443
2.91.9.248:443
79.129.252.62:2222
5.193.148.126:2078
72.36.59.46:2222
2.50.159.19:2222
37.105.7.219:995
196.204.207.111:443
105.198.236.99:443
184.179.14.130:22
203.106.116.190:443
81.150.181.168:2222
155.186.9.160:443
2.91.235.94:443
83.110.13.182:2222
35.139.242.207:443
108.190.194.146:2222
187.213.199.54:443
68.83.89.188:443
41.233.152.232:993
196.151.252.84:443
181.208.249.141:443
172.87.134.226:443
96.27.47.70:2222
83.110.109.78:2222
93.86.1.159:995
217.162.149.212:443
80.11.210.247:443
72.252.201.69:443
185.163.221.77:2222
189.62.175.92:22
95.76.27.6:443
45.77.115.208:443
187.213.82.104:995
47.44.217.98:443
91.138.177.114:2222
72.240.200.181:2222
71.182.142.63:443
90.53.103.26:2222
81.97.154.100:443
45.118.216.157:443
70.118.146.154:995
83.202.68.220:2222
86.97.221.121:443
67.141.11.98:443
184.189.122.72:443
189.150.111.8:2222
24.229.150.54:995
200.38.254.177:443
109.106.69.138:2222
5.204.148.208:995
109.154.79.222:2222
190.220.8.10:995
87.27.110.90:2222
65.48.208.194:443
78.101.130.59:995
75.136.26.147:443
47.138.204.19:443
140.82.49.12:443
41.205.16.222:443
67.6.54.180:443
80.227.5.70:443
193.248.154.174:2222
93.148.241.179:2222
67.249.12.146:443
109.205.204.229:2222
90.201.21.58:443
50.29.166.232:995
144.202.38.185:995
149.28.99.97:443
45.77.115.208:995
144.202.38.185:443
149.28.101.90:2222
149.28.99.97:995
149.28.101.90:995
149.28.98.196:2222
209.137.209.158:443
144.202.38.185:2222
45.63.107.192:995
45.63.107.192:443
149.28.99.97:2222
217.39.74.146:2222
82.12.157.95:995
45.63.107.192:2222
149.28.98.196:443
66.97.247.15:443
149.28.98.196:995
108.46.145.30:443
78.101.158.1:61201
103.110.6.151:2087
5.12.11.200:443
78.63.226.32:443
46.53.14.19:443
116.240.78.45:995
75.67.192.125:443
161.142.217.62:443
151.60.38.21:443
86.98.21.136:443
188.26.59.21:443
75.109.180.221:995
217.128.117.218:2222
78.181.19.134:443
5.2.212.254:443
35.136.78.225:443
24.122.0.90:443
68.131.19.52:443
197.57.67.109:443
78.154.28.105:443
2.49.219.254:22
187.155.59.73:443
83.110.213.25:443
2.50.143.154:2222
85.105.29.218:443
151.61.125.180:2222
72.93.55.22:443
39.32.147.77:995
151.73.121.136:443
24.29.30.31:443
45.77.115.208:2222
72.214.55.195:995
208.93.202.41:443
2.7.69.217:2222
81.88.254.62:443
41.225.231.43:443
62.116.43.76:53
85.101.187.146:443
73.94.229.115:443
190.31.192.34:443
51.223.138.251:443
92.154.83.96:1194
65.131.41.96:995
90.61.38.208:2222
86.122.248.164:2222
74.222.204.82:995
190.128.215.174:443
86.245.82.249:2078
188.27.116.133:443
80.195.103.146:2222
85.60.132.8:2087
74.129.26.119:443
71.58.19.33:443
189.183.206.114:443
180.151.233.178:443
41.176.38.114:995
80.11.5.65:2222
196.221.77.89:995
75.136.40.155:443
86.121.3.80:443
24.139.72.117:443
94.52.68.72:443
2.91.9.248:443
79.129.252.62:2222
5.193.148.126:2078
72.36.59.46:2222
2.50.159.19:2222
37.105.7.219:995
196.204.207.111:443
105.198.236.99:443
184.179.14.130:22
203.106.116.190:443
81.150.181.168:2222
155.186.9.160:443
2.91.235.94:443
83.110.13.182:2222
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | ach_Quakbot_xls_20201020 |
|---|---|
| Author: | abuse.ch |
| Description: | Detects Quakbot XLS |
| Rule name: | Excel_Hidden_Macro_Sheet |
|---|
| Rule name: | SUSP_EnableContent_String_Gen |
|---|---|
| Author: | Florian Roth |
| Description: | Detects suspicious string that asks to enable active content in Office Doc |
| Reference: | Internal Research |
| Rule name: | SUSP_Excel4Macro_AutoOpen |
|---|---|
| Author: | John Lambert @JohnLaTwC |
| Description: | Detects Excel4 macro use with auto open / close |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.